Constructivist Information Security Awareness M.Boujettif (Italtel, [email protected]) & Y.Wang (UCCC) BWCCA 2010 Fukuoka Institute of Technology, Fukuoka, Japan


Constructivist Information Security Awareness

M.Boujettif (Italtel, [email protected]) & Y.Wang (UCCC)

BWCCA 2010

Fukuoka Institute of Technology, Fukuoka, Japan


Abstract

The application of a unique approach to enhancing information security awareness amongst employees, in an effort to improve information security

Surveyed the current attitudes and awareness levels of 116 employees in 30 companies towards information security

2 companies opted to implement our new approach (CISA), based on a highly employee-centred constructivist method

The CISA approach aims to benefit the employees at different levels as it affects and encourages employee learning autonomy


Constructivist Information Security Awareness (CISA)

CISA encourages CIOs and end users to improve their awareness regarding the risks associated with utilising ICT

CISA builds a conscious awareness of one's own attitude. This is deemed important in improving information security

Attitudes play an important role in information security behaviour

We confirm a positive correlation between poor/negative attitudes and low levels of information security


Introduction

Interviewed CIOs:

We established their current information security levels and conducted questionnaires to determine the employees’ attitudes

Compared the results for any suspected correlations

2 companies were chosen which were established as having poor information security and whose employees exhibited negative and/or poor information security attitudes:

We introduced them to our unique information security programme (CISA) based on constructive methods


Research Questions

The research's main questions:

Correlation between information security levels & attitudes towards information security?

Usefulness of constructivist training methodologies to improve information security awareness?

Expected - Companies had security awareness campaigns but do they measure the effects of such campaigns on the employees’ attitudes and behaviour?

How do we know that the campaigns are working? Do the campaigns really improve users’ attitudes and behaviour towards information security?

Results were used to establish effective security campaigns based on constructivist approach

What is this approach? An individualised, user-centred, free learning environment where users are in control of their own learning process

Such an investigation has never been applied in the context of information security, IT security (or even telecom security), and this makes this project unique


Human Element

Information Security: traditionally conjures up images of complexity (HW & SW) – only implementable by professional security firms!

Previous researchers, like Stanton et al (2003), Schneier (2000), and Katsikas (2000) have warned that

“it’s not only the technical software or hardware aspects that introduce vulnerabilities into an information system, rather it’s the users of the system which pose the greatest and most serious information security risk.”

The human element needs to be dealt with first and foremost! (Stephanou & Dagada [2008])

Procedures/policies are implemented to guide people (administrators/users/operators) in how to use products to ensure information security within the organisation


Importance of Human Element

Natural question: How do we deal with or influence the human aspect?

Rules/threats? Punishment maybe? Fines? Imprisonment? Loss of job? Or: information! Training! Education!

Training & education in a subject have a better track record of affecting the perceptions/attitudes towards that subject

Environment and pedagogy (methods of training) have a lot to do with the individuals’ perception (Ann, Timothy and Laubach [2001])

Changing or improving perceptions/attitudes towards something is rather challenging – Why?

Avoiding? Moving away? – Bad perceptions & feelings!

Exemplified in the fields of academia/training by people’s dislike of challenging subjects (such as science and mathematics)

An effective ISA programme needs to seek to influence and improve the users’ education and training, and guide their understanding of IS concepts


Middle Eastern Companies

Home-grown Middle-Eastern companies pay little attention to ISA: it has never existed, and is little understood/appreciated

Ambiguous and ineffective policies towards information security are due to a genuine lack of awareness and a blasé attitude by both senior management and senior security professionals

Campaigns were basic (warnings via email/ posters)

Increasing the appreciation of ISA programmes was done by ensuring the development of effective employee-centred programmes:

This entails the imparting of knowledge, whether in a training format or in a more academic format

Information is presented in a manner designed to change unfavourable perceptions and attitudes into desirable ones


Attitudes & Perceptions

What are perception and attitudes?

Attitudes govern a person’s personality, beliefs, values, and motivations

Three components: 1) affect (feeling), 2) cognition (thought or belief), 3) behaviour (an action)

Individuals even try employing interesting tactics in an attempt to reduce dissonance (conflict):

Eliminating his/her responsibility or control over an act or decision

Denying, distorting, or “selectively” forgetting information

Minimizing the importance of the issue, decision, or act

Develop an ISA programme that reduces the cognitive dissonance (conflict)

Attitude formation: a result of learning, modelling others, direct experiences with people and situations

Attitudes have different strengths, and are learned or influenced through experience and they can be changed!

Attitude is measured/assessed by how strongly one agrees or disagrees (likes or dislikes) with a statement, ticking a 1–5 scale


Constructivism

Anything that may cause a sense of failure and/or negative feelings matters – complexity is one such cause

Attitude change occurs by addressing the cognitive and emotional components via new information

Employing methods utilised in pedagogical circles, which have a track record of yielding positive results

One proven method of making positive changes to one’s attitude and perceptions: constructivist methodology

“...commitment to the idea that the development of understanding requires active engagement on the part of the learner.”

Naylor and Keogh (1999)

“...principles of this approach ... learners can only make sense of new situations in terms of their existing understanding. Learning involves an active process ... learners construct meaning by linking new ideas with their existing knowledge.”

Active learning approaches were found to be beneficial and positive in improving academic achievement, attitude and concept learning (Anzai & Simon [1979], Maria & Rosetta [2005])


CISA Programme

Our CISA Programme entails:

Elements of transfer of knowledge

Conducive environment of learning

Material is learner-friendly/learner-centric

Little or no instruction or explanation

Encourages active and engaging environment with virtual independence in learning

The CISA approach allows users to develop information security material and activities containing their own terminology and explanations, which they themselves construct and understand

Avoids passive learning

Move towards active and interactive learning

Learners relate information security to their daily lives and how it affects them and their colleagues

The usual material (information security warnings, posters, emails and policies) can sometimes be daunting and unwieldy; CISA therefore lets participants feel more ownership and gain a deeper understanding, which is guaranteed since they constructed material that they themselves comprehend


Method and Realisation

Sample size: 240 individuals, of whom only 116 responded accurately and concisely

30 CIOs interviewed

Survey of attitudes and perceptions, drawing on instruments from Questionpro (2007), University of Florida IT Security Awareness (2009) and TCET (1997)

Results were validated for consistency, and disparate answers were removed, leaving only consistent data outcomes

Single case-study with a questionnaire administered in two companies (sample ISA material)

[Chart: Sample Size – categories: No Response, Responded, CIO]


Results: Information Security Awareness ISA

Respondents indicate a shockingly low level of information security awareness, for example in their internet and email usage behaviours:

Rather concerning results – a real lack of training in ISA needs

Current ISA programmes are ineffective and have profound consequences on information security

[Chart: ISA Awareness – categories: No backup of work files; Simple password structure; Without latest updates; Not aware of viruses etc.; Vulnerable to attack; Never used firewalls; Ignorant of phishing. Primary axis 0%–100%, secondary axis 57%–66%]


Results: Employees’ ISA

Information Security policies, procedures were little understood and rarely recognised or appreciated;

Concerning situation: what was witnessed in the majority of KSA companies gives us a reasonable microcosm of the possible state of information security awareness in and around the Middle East

[Chart: Levels of ISA – categories: Security Dept; Security Policies; Term IS; Security Procedures; ISA Specialist; ISA Material Never Published; Security Info By Word of Mouth. Axis 0%–100%]


Results: Respondents’ Attitudes

Respondents’ attitudes towards interactive learning, as indicated by the respondents, were positive:

Activities that may motivate the learning of new concepts were ones which required challenging, creating and inventing activities, as indicated by the results:

[Chart: Attitudes To Learning – categories: Challenges; Investigating; Interactive Learning; PC Based Activities; PC Over Reading. Axis 0%–100%]

[Chart: Learning New Concepts – categories: Uniqueness; Doing; Inventing; Groups. Axis 0%–100%]


Results: Learning Environment

When faced with a learning environment which meant either learning by oneself or in a team with colleagues, the following results were garnered:

In terms of the importance of there being an enjoyable and fun environment:

[Chart: Learning Environment – categories: Learning From Others; Discussion; Gregarious; With Colleagues; Competitive. Axis 0%–100%]

[Chart: categories: Enjoyable Atm.; Challenging Problems. Axis 0%–100%]


Results: Learning Preferences

Respondents’ attitudes towards their thinking styles may indicate their preferences for how they approach challenges in learning:

[Chart: Preferences – categories: Apply Learnt; New Ways; Future Orientated; Examine New; Different Solutions. Axis 0%–100%]

Respondents’ attitudes towards visual stimuli were quite conclusive and were recorded as follows:

[Chart: Visual – categories: TV Over Book; TV Over Writing; TV Over PC. Axis 0%–100%]


Constructivist ISA: Task 1

Employees were requested to construct an email message in 45 minutes (after CIO scrutiny)

They were given access to resources (internet, written material on IS etc.) and requested to examine and identify the important ISA aspects which needed to be transmitted in the email they created. They were asked to make it creative and funny, to encourage a more fun, kinaesthetic experience

Focus on convergent and divergent thinking by encouraging and balancing fact (actual ISA information) and feasibility (funny cartoon), and striking an equilibrium between structure and flexibility

Remarkable features: vocal and visible expressions of happiness and jubilation from the groups were experienced; the groups were excited and animated on returning their created group-effort email, and happy and cheerful for completing the task


Constructivist ISA : Task 2,3,4,5...

Sample Task 2: Videoed Presentation: produce a 2-minute videoed presentation similar to a youtube.com clip

Sample Task 3: Quiz Creation: produce an ISA quiz written around a geometric shape that would be cut out and converted into a 3D shape (e.g. a cube) displayed on their desk

Sample Task 4: Poster Creation: the importance of backup

Sample Task 5: For and Against Discussion: choose an ISA concept from a set of cards, then think up arguments for and against it, and later defend the concept

Sample Task 6: Approximations: employees requested to guess as accurately as possible the volume capacity of two vessels (e.g. a cup and a test tube) representing ISA statistics


Evaluation

Our survey shows that 91% preferred the CISA constructivist approach (App. 2)

Traditional methods of disseminating and delivering ISA programmes may be ineffective

Negative effect on the intrinsic motivation/ attitude in learning ISA concepts

Employees preferred to develop and construct their own material interactively

CIOs should consider adopting constructivist methodologies to improve ISA

Employees’ attitudes had transformed when CISA was implemented

Employees wanted freedom from the confines of formal passive learning (in keeping with previous research findings)

[Chart: Case Study Results – categories: Approach 1, Approach 2]


CONCLUSIONS

Employees can be blamed for the traditional ISA paradigm, as they tend to expect experts to transfer the knowledge to them

Learners construct their own knowledge through interaction with their environment

At the heart of the CISA approach: employees must understand information security but also develop thinking skills (analysis, reasoning, problem solving); otherwise they gain only a superficial attitude and awareness towards ISA

Security experts should employ constructivist methods

This study made use of constructivist methods to enhance employee awareness of information security ideas and concepts through the interactive collaboration of employees, who played a more central role in developing and enthusing the company ISA programme with interactive and enjoyable activities

There was a perceived improvement in information security awareness. The significant findings and results of this study were:

91% of the employees in the case-study preferred the new approach (Constructivist ISA) as opposed to traditional programs

94% of the employees surveyed were dissatisfied with their companies’ current information security programs


Thank You